REMARKS

In view of the following discussion, the Applicants submit that none of the 
claims now pending in the application are obvious under the provisions of 35 
U.S.C. § 103. Thus, the Applicants believe that all of these claims are now in 
allowable form. 

I. REJECTION OF CLAIMS 1-8 AND 10-19 UNDER 35 U.S.C. § 103

A. Claims 1, 3, 5-8, 11-15, 17 and 19

The Examiner rejected claims 1, 3, 5-8, 11-15, 17 and 19 as being 
unpatentable over Talpade, et al. (U.S. Patent Publication No. 2004/0148520, 
published on July 29, 2004, hereinafter referred to as "Talpade") in view of Stone, 
et al. (U.S. Patent No. 7,062,782, issued on June 13, 2006, hereinafter referred 
to as "Stone"). The Applicants respectfully traverse the rejection. 

Talpade teaches mitigating denial of service attacks. Talpade teaches 
rerouting all traffic from all routers to a filter router when a denial of service attack 
is detected. (See Talpade, Abstract). 

Stone teaches an overlay network for tracking denial of service floods in 
unreliable datagram delivery networks. An approach for tracking DOS flood 
attacks using an overlay IP network is disclosed. (See Stone, Abstract). 

The Examiner's attention is directed to the fact that Talpade and Stone, 
either alone or in any permissible combination, fail to teach or suggest a network 
or method comprising a router for injecting a routing instruction or a second IP 
address comprising a routing instruction having a same IP address as a first IP 
address, but with a higher preference value than the first IP address and having 
a community value such that a selected first number of edge routers direct VPN 
traffic addressed for said first IP address to said VPN application and a selected 
second number of edge routers direct VPN traffic addressed for said second IP 
address to said black-hole router, as positively claimed by the Applicants.
Specifically, Applicants' independent claims 1, 8 and 15 positively recite: 

1. An internet service provider (ISP) Virtual Private Network (VPN)
network comprising:
a plurality of edge routers;

a plurality of core routers adapted to allow communication between
said plurality of edge routers;

a VPN application in communication with a first one of said plurality
of edge routers, said VPN application having a first IP address; and

a black-hole router in communication with said plurality of core
routers, said black-hole router adapted to inject a second IP address into
said ISP VPN network, said second IP address comprising:
a same IP address as the first IP address;
a higher preference value than said first IP address; and
a community value such that when said second IP address
is injected, a selected first number of edge routers direct VPN traffic
addressed for said first IP address to said VPN application and a
selected second number of edge routers direct VPN traffic
addressed for said second IP address to said black-hole router.
(Emphasis added). 

8. An internet service provider (ISP) network comprising: 
a plurality of edge routers; 

an application in direct or indirect electrical communication with a 
first one of said plurality of edge routers; 

said application having a first IP address such that Virtual Private 
Network (VPN) traffic addressed for said first IP address and entering said 
ISP network at any one of said plurality of edge routers, is routed to said
application; 

a black-hole router; and 

a router adapted to inject an instruction into said ISP network, such 
that one or more select edge routers redirect VPN traffic, which is 
addressed to said first IP address, to said black-hole router, wherein said
injected instruction comprises a routing instruction having a same IP
address as said first IP address, but with a higher preference value than
said first IP address and having a community value. (Emphasis added).

15. A method of managing a Distributed Denial of Service (DDoS) attack 
on an application within an internet service provider (ISP) network, said 
application having a first IP address, said method comprising: 

injecting a Border Gateway Protocol (BGP) routing instruction into 
said ISP network when said DDoS attack is occurring, said BGP routing
instruction comprising a second IP address having a same IP address as
said first IP address, but with a higher preference value than said first IP
address and having a community value;

redirecting, at one or more selected edge routers, VPN traffic 
addressed for said second IP address to a black-hole router; and 

directing, at one or more other edge routers, VPN traffic addressed 
for said first IP address to said application that is experiencing said DDoS 
attack. (Emphasis added). 

In one embodiment, the present invention provides a network or method
comprising a router for injecting a routing instruction or a second IP address 
comprising a routing instruction having a same IP address as a first IP address, 
but with a higher preference value than the first IP address and having a 
community value such that a selected first number of edge routers direct VPN 
traffic addressed for said first IP address to said VPN application and a selected 
second number of edge routers direct VPN traffic addressed for said second IP 
address to said black-hole router. For example, the Applicants' invention may
selectively re-route traffic of one or more edge routers by using preference and
community values of an injected instruction or second IP address that is identical
to a first address. (See e.g., Applicants' specification, page 11, line 16 - page
12, line 5). 

Talpade and Stone fail to render obvious the Applicants' invention 
because Talpade and Stone fail to teach or suggest a network or method 
comprising a router for injecting a routing instruction or a second IP address 
comprising a routing instruction having a same IP address as a first IP address, 
but with a higher preference value than the first IP address and having a 
community value such that a selected first number of edge routers direct VPN 
traffic addressed for said first IP address to said VPN application and a selected 
second number of edge routers direct VPN traffic addressed for said second IP 
address to said black-hole router. First, the Applicants note that Talpade teaches
away from the Applicants' invention. The Applicants' invention teaches that only
a select number of edge routers (i.e., less than all or a subset of all the routers)
are instructed to re-direct traffic to the black hole router, while the remaining
routers continue to forward traffic to the VPN application. Thus, only some of the
VPN traffic is diverted to the black hole router. 

In stark contrast, Talpade explicitly teaches that all traffic is redirected to 
the router filter. Talpade teaches "[t]he new routing information instructs the 
border and edge routers to reroute all DDoS and non-DDoS traffic directed at the 
customer network under attack to the filter router using the IP-in-IP tunnels." (See
Talpade, para. [0009], emphasis added). As noted above, the Applicants'
invention teaches that the injected routing instruction contains a second IP 
address that is the same as the first IP address, but having a higher preference 
value and a community value. In other words, all traffic is still forwarded to the 
system under attack. However, once it reaches the system under attack, only 
some of the traffic is diverted to the black hole router, while the remaining traffic 
is forwarded to the VPN application. In other words, unlike Talpade, the
Applicants' invention only diverts a portion of the VPN traffic destined for the 
system under attack to the black hole router. 

The Examiner is reminded that the MPEP § 2141.02(VI) requires the
Examiner to consider the prior art in its entirety. "A prior art reference must be
considered in its entirety, i.e., as a whole, including portions that would lead away
from the claimed invention". MPEP § 2141.02(VI), W.L. Gore & Associates, Inc.
v. Garlock, Inc., 721 F.2d 1540, 220 USPQ 303 (Fed. Cir. 1983), cert. denied, 469
U.S. 851 (1984). Thus, using Talpade with any combination of other references
would still teach away from the Applicants' invention. The Examiner is expressly
prohibited from ignoring those portions of Talpade that explicitly teach away from
the Applicants' invention. 

Moreover, the Examiner concedes that Talpade fails to teach or suggest 
the above limitation in the Office Action. (See Office Action, p. 3, §4). However, 
the Examiner asserts that Stone bridges the substantial gap left by Talpade. The 
Applicants respectfully disagree. 

Stone fails to bridge the substantial gap left by Talpade because Stone 
also fails to teach or suggest a network or method comprising a router for 
injecting a routing instruction or a second IP address comprising a routing 
instruction having a same IP address as a first IP address, but with a higher 
preference value than the first IP address and having a community value such 
that a selected first number of edge routers direct VPN traffic addressed for said 
first IP address to said VPN application and a selected second number of edge 
routers direct VPN traffic addressed for said second IP address to said
black-hole router. Stone only teaches a method for tracking a DDoS attack. (See
Stone, generally). 

Moreover, the Examiner asserts that creating a static route, as taught by 
Stone, is equivalent to a router for injecting a routing instruction or a second IP 
address comprising a routing instruction having a same IP address as a first IP 
address, but with a higher preference value than the first IP address and having 
a community value such that a selected first number of edge routers direct VPN 
traffic addressed for said first IP address to said VPN application and a selected 
second number of edge routers direct VPN traffic addressed for said second IP 
address to said black-hole router. Notably, establishing a static route is not
equivalent to injecting an IP address. Nor does Stone teach or suggest any use
of a community value. 

Even if the Examiner's interpretation is considered, in arguendo, Stone still 
would teach away from the Applicants' invention. Stone teaches that both the 
static route and the overlay IP tunnels still send traffic to the same destination,
i.e., the edge router 515. (See Stone, col. 8, l. 65 - col. 9, l. 13). In stark
contrast, the injected second IP address and the community value cause traffic
from routers to be directed to different destinations, e.g., the black-hole router
and the VPN application having the first IP address. 

Furthermore, even if Talpade and Stone were combined, the combination 
would still fail to teach or suggest the Applicants' invention. The combination of 
Talpade and Stone would only teach a tracking router for tracking a DDoS attack, 
as taught by Stone, and a system for resolving the DDoS that redirects all traffic 
to the router filter, as taught by Talpade. Thus, the combination of Talpade and 
Stone fails to render obvious Applicants' independent claims 1, 8 and 15.

In addition, dependent claims 3, 5-7, 11-14, 17 and 19 depend from
independent claims 1, 8 and 15, respectively, and recite additional limitations. As 
such, and for the exact same reason set forth above, the Applicants submit that 
claims 3, 5-7, 11-14, 17 and 19 are also patentable over Talpade and Stone and 
respectfully request the rejection be withdrawn. 

B. Claims 4 and 18

The Examiner rejected claims 4 and 18 as being unpatentable over 
Talpade and Stone and in further view of Afek, et al. (U.S. Patent Publication No. 
2002/0083175, published on June 27, 2002, hereinafter referred to as "Afek"). 
The Applicants respectfully traverse the rejection. 

The teachings of Talpade and Stone are discussed above. Afek teaches 
methods and apparatus for protecting against overload conditions on nodes of a 
distributed network. Afek teaches diverting traffic intended to a victim to one or 
more guardian nodes for filtering traffic when a denial of service attack is 
detected. (See Afek, Abstract; para. [0246] - [0265]). 

The Examiner's attention is directed to the fact that Talpade, Stone and 
Afek, alone or in any permissible combination, fail to disclose the network or 
method comprising a router for injecting a routing instruction or a second IP 
address comprising a routing instruction having a same IP address as a first IP 
address, but with a higher preference value than the first IP address and having 
a community value such that a selected first number of edge routers direct VPN
traffic addressed for said first IP address to said VPN application and a selected
second number of edge routers direct VPN traffic addressed for said second IP
address to said black-hole route, as positively claimed by the Applicants'
independent claims 1, 8 and 15. (See supra). As discussed above, the alleged
combination (as taught by Talpade and Stone) simply does not teach or suggest the
novel network or method comprising a router for injecting a routing instruction or
a second IP address comprising a routing instruction having a same IP address
as a first IP address, but with a higher preference value than the first IP address
and having a community value such that a selected first number of edge routers
direct VPN traffic addressed for said first IP address to said VPN application and
a selected second number of edge routers direct VPN traffic addressed for said
second IP address to said black-hole route.

Moreover, Afek does not bridge the substantial gap left by Talpade and 
Stone because Afek also fails to teach or suggest a network or method 
comprising a router for injecting a routing instruction or a second IP address 
comprising a routing instruction having a same IP address as a first IP address,
but with a higher preference value than the first IP address and having a
community value such that a selected first number of edge routers direct VPN
traffic addressed for said first IP address to said VPN application and a selected
second number of edge routers direct VPN traffic addressed for said second IP
address to said black-hole route. As previously argued, Afek teaches away from
the Applicants' invention. Afek teaches "[u]pon receiving the alert of a possible
attack on a victim all these border routers are set to forward all the traffic arriving
from outside of the network (protected area) and whose destination IP address is
the victim public IP address, to the guard machine which is placed next to them."
(See Afek, para. [0257], emphasis added). 

The Examiner is reminded that the MPEP § 2141.02(VI) requires the
Examiner to consider the prior art in its entirety. "A prior art reference must be
considered in its entirety, i.e., as a whole, including portions that would lead away
from the claimed invention". MPEP § 2141.02(VI), W.L. Gore & Associates, Inc.
v. Garlock, Inc., 721 F.2d 1540, 220 USPQ 303 (Fed. Cir. 1983), cert. denied, 469
U.S. 851 (1984). Thus, using Talpade and Afek with any combination of other 
references would still teach away from the Applicants' invention. The Examiner 
is expressly prohibited from ignoring those portions of Talpade and Afek that 
explicitly teach away from the Applicants' invention. 

Furthermore, even if Talpade, Stone and Afek were combined, the 
combination would still fail to teach or suggest the Applicants' invention. The 
combination of Talpade, Stone and Afek would only teach a tracking router for 
tracking a DDoS attack, as taught by Stone, and a system for resolving the DDoS 
that redirects all traffic to the router filter or guardian, as taught by Talpade and 
Afek. Thus, for all of the above reasons, the Applicants respectfully contend that 
claims 1, 8 and 15 of the present invention are not made obvious by the
combination of Talpade, Stone and Afek. 

Moreover, dependent claims 4 and 18 depend from independent claims 1
and 15, respectively, and recite additional limitations. As such, and for the exact
same reason set forth above with regard to independent claims 1 and 15 being
patentable over Talpade, Stone and Afek, the Applicants submit that claims 4
and 18 are also patentable over Talpade, Stone and Afek. As such, the
Applicants respectfully request the rejection be withdrawn.

PATENT
Atty. Dkt. No. ATT/2003-0018

C. Claims 2, 10 and 16

The Examiner rejected claims 2, 10 and 16 as being unpatentable over 
Talpade and Stone and in further view of Yamauchi (U.S. Patent Publication No. 
2002/0037010, published on March 28, 2002, hereinafter referred to as 
"Yamauchi"). The Applicants respectfully traverse the rejection. 

The teachings of Talpade and Stone are discussed above. Yamauchi 
teaches a MPLS-VPN service network. The MPLS-VPN service network 
includes an interface identifying device. (See Yamauchi, Abstract). 

The Examiner's attention is directed to the fact that Talpade, Stone and 
Yamauchi, alone or in any permissible combination, fail to disclose the network 
or method comprising a router for injecting a routing instruction or a second IP 
address comprising a routing instruction having a same IP address as a first IP 
address, but with a higher preference value than the first IP address and having 
a community value such that a selected first number of edge routers direct VPN 
traffic addressed for said first IP address to said VPN application and a selected 
second number of edge routers direct VPN traffic addressed for said second IP 
address to said black-hole route, as positively claimed by the Applicants'
independent claims 1, 8 and 15. (See supra). As discussed above, the alleged
combination (as taught by Talpade and Stone) simply does not teach or suggest the
novel network or method comprising a router for injecting a routing instruction or
a second IP address comprising a routing instruction having a same IP address
as a first IP address, but with a higher preference value than the first IP address
and having a community value such that a selected first number of edge routers
direct VPN traffic addressed for said first IP address to said VPN application and
a selected second number of edge routers direct VPN traffic addressed for said
second IP address to said black-hole route.

Moreover, Yamauchi does not bridge the substantial gap left by Talpade 
and Stone because Yamauchi also fails to teach or suggest a network or method
comprising a router for injecting a routing instruction or a second IP address 
comprising a routing instruction having a same IP address as a first IP address, 
but with a higher preference value than the first IP address and having a 
community value such that a selected first number of edge routers direct VPN 
traffic addressed for said first IP address to said VPN application and a selected 
second number of edge routers direct VPN traffic addressed for said second IP 
address to said black-hole route. Yamauchi only teaches a MPLS-VPN service
network. (See Yamauchi, Abstract). Thus, for all of the above reasons, the
Applicants respectfully contend that claims 1, 8 and 15 of the present invention
are not made obvious by the combination of Talpade, Stone and Yamauchi. 

Moreover, dependent claims 2, 10 and 16 depend from independent 
claims 1, 8 and 15, respectively, and recite additional limitations. As such, and 
for the exact same reason set forth above with regard to independent claims 1, 8
and 15 being patentable over Talpade, Stone and Yamauchi, the Applicants 
submit that claims 2, 10 and 16 are also patentable over Talpade, Stone and 
Yamauchi. As such, the Applicants respectfully request the rejection be 
withdrawn. 

CONCLUSION



Thus, the Applicants submit that all of these claims now fully satisfy the 
requirements of 35 U.S.C. § 103. Consequently, the Applicants believe that all 
these claims are presently in condition for allowance. Accordingly, both 
reconsideration of this application and its swift passage to issue are earnestly 
solicited. 

If, however, the Examiner believes that there are any unresolved issues 
requiring the issuance of a final action in any of the claims now pending in the 
application, it is requested that the Examiner telephone Mr. Kin-Wah Tong, Esq.
at (732) 842-8110 x130 so that appropriate arrangements can be made for 
resolving such issues as expeditiously as possible. 



Respectfully Submitted, 



September 9, 2009




Wall & Tong, LLP 

595 Shrewsbury Avenue 

Shrewsbury, New Jersey 07702 



Kin-Wah Tong, Attorney 
Reg. No. 39,400 
(732) 842-8110 x130






